ramnit | 3b47910e69e7050a8f0225fd3bdfc003802b392e12519f5f2413462e6481e47a

General

Target

719be2a7e0f7dfd0aba67017ec2966cb.exe
Size

220KB
MD5

719be2a7e0f7dfd0aba67017ec2966cb
SHA1

7f64efceb554aed2ddf665ebfca47eaa71ab3677
SHA256

3b47910e69e7050a8f0225fd3bdfc003802b392e12519f5f2413462e6481e47a
SHA512

ca95c58fc4d5aed75c1d6c6c95b799fde9c7665dcce3aab5c47971a53324977e0211206cd1f17659c4f5de3fda632dbacc0be62e5c79d8d4b384506856f4e143
SSDEEP

3072:GMsCUsER3Fx/asAm3jUWvUIYeMYqFquq8RnPZKlNkfKN5CS+t9CpZ+AS7P1ZBGjh:GMsCUpR35iLs8WD4HCGX7BGqy+lY

Score

10^/10

ramnit 26 ��1 banker persistence spyware stealer trojan worm

Malware Config

Extracted

Family

ramnit

Botnet

26

C2

��1:8001

Attributes

campaign_timestamp
1.505981184e+09
compile_timestamp
1.500910876e+09
dga_seed
7.90544302e+08
listen_port
0
num_dga_domains
40

xor.base64

rc4.plain

rsa_pubkey.base64

Extracted

Family

ramnit

Botnet

��1

C2

��1:8001

Attributes

campaign_timestamp
1.505981184e+09
compile_timestamp
1.500910876e+09
dga_seed
7.90544302e+08
listen_port
0
num_dga_domains
40

xor.base64

rc4.plain

rsa_pubkey.base64

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Deletes itself 1 IoCs

Processes:

wmplayer.exe

pid process

3008 wmplayer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hnvtxcwy = "C:\\Users\\Admin\\AppData\\Roaming\\hnvtxcwy\\wauvgwuh.vbs"	WScript.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exe

description	pid	process	target process
PID 4980 set thread context of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 set thread context of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe

Modifies registry class 1 IoCs

Processes:

wmplayer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings wmplayer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\Local Settings	wmplayer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

wmplayer.exe

pid	process
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe
3008	wmplayer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exe

pid process

4980 719be2a7e0f7dfd0aba67017ec2966cb.exe

pid	process
4980	719be2a7e0f7dfd0aba67017ec2966cb.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exewmplayer.exe

description	pid	process
Token: SeDebugPrivilege	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe
Token: SeSecurityPrivilege	3008	wmplayer.exe
Token: SeDebugPrivilege	3008	wmplayer.exe
Token: SeRestorePrivilege	3008	wmplayer.exe
Token: SeBackupPrivilege	3008	wmplayer.exe
Token: SeDebugPrivilege	3008	wmplayer.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

719be2a7e0f7dfd0aba67017ec2966cb.exewmplayer.exe

description	pid	process	target process
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 4980 wrote to memory of 3008	4980	719be2a7e0f7dfd0aba67017ec2966cb.exe	wmplayer.exe
PID 3008 wrote to memory of 3620	3008	wmplayer.exe	WScript.exe
PID 3008 wrote to memory of 3620	3008	wmplayer.exe	WScript.exe
PID 3008 wrote to memory of 3620	3008	wmplayer.exe	WScript.exe

C:\Users\Admin\AppData\Local\Temp\719be2a7e0f7dfd0aba67017ec2966cb.exe
"C:\Users\Admin\AppData\Local\Temp\719be2a7e0f7dfd0aba67017ec2966cb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
2⤵
- Deletes itself
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hnvtxcwy\egcleujc.vbs"
3⤵
- Adds Run key to start application
PID:3620

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\hnvtxcwy\egcleujc.vbs
Filesize
193B

MD5
4b5db122f9ddd488222c6b25cb7b165a

SHA1
f82689bccc194c041fd1458154f5fbe73ad48062

SHA256
4ae62b4e6df73ea2aeac97abf7589e879c3e5e4678f6e278870979361f14846a

SHA512
b967cc3fada2b7e544c5c9c8001104b740edf78508adf0bbc07ce143290c9f3d2526940b41c69dbbb2e941939210ae9895e2052b23de560fd6383ee4081f66b3

Download Submit
memory/3008-33-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-60-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-30-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-6-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-7-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-20-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-23-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-24-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-25-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-26-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-27-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-29-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-3-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-2-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-49-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-34-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-36-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-39-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-42-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-1-0x00000000011F0000-0x00000000011F1000-memory.dmp

Filesize
4KB

Download
memory/3008-47-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-31-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-52-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-54-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-56-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-59-0x00000000011B0000-0x00000000011F0000-memory.dmp

Filesize
256KB

Download
memory/3008-0-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads